Network Working Group R. Pethia 
Request for Comments: 1281 Software Engineering Institute 
S. Crocker 

Trusted Information Systems, Inc. 

B. Fraser 

Software Engineering Institute 

November 1991 


Guidelines for the Secure Operation of the Internet 


Status of this Memo 


This memo provides information for the Internet community. It does 
not specify an Internet standard. Distribution of this memo is 
unlimited. 

Preamble 


The purpose of this document is to provide a set of guidelines to aid 
in the secure operation of the Internet. During its history, the 
Internet has grown significantly and is now quite diverse. Its 
participants include government institutions and agencies, academic 
and research institutions, commercial network and electronic mail 
carriers, non-profit research centers and an increasing array of 
industrial organizations who are primarily users of the technology. 
Despite this dramatic growth, the system is still operated ona 
purely collaborative basis. Each participating network takes 
responsibility for its own operation. Service providers, private 
network operators, users and vendors all cooperate to keep the system 
functioning. 


It is important to recognize that the voluntary nature of the 
Internet system is both its strength and, perhaps, its most fragile 
aspect. Rules of operation, like the rules of etiquette, are 
voluntary and, largely, unenforceable, except where they happen to 
coincide with national laws, violation of which can lead to 
prosecution. A common set of rules for the successful and 
increasingly secure operation of the Internet can, at best, be 
voluntary, since the laws of various countries are not uniform 
regarding data networking. Indeed, the guidelines outlined below 
also can be only voluntary. However, since joining the Internet is 
optional, it is also fair to argue that any Internet rules of 
behavior are part of the bargain for joining and that failure to 
observe them, apart from any legal infrastructure available, are 
grounds for sanctions. 


Pethia, Crocker, & Fraser [Page 1] 


RFC 1281 Guidelines for the Secure Operation November 1991 


Introduction 


These guidelines address the entire Internet community, consisting of 
users, hosts, local, regional, domestic and international backbone 
networks, and vendors who supply operating systems, routers, network 
management tools, workstations and other network components. 


Security is understood to include protection of the privacy of 
information, protection of information against unauthorized 
modification, protection of systems against denial of service, and 
protection of systems against unauthorized access. 


These guidelines encompass six main points. These points are 
repeated and elaborated in the next section. In addition, a 
bibliography of computer and network related references has been 
provided at the end of this document for use by the reader. 


Security Guidelines 


(1) Users are individually responsible for understanding and 
respecting the security policies of the systems (computers and 
networks) they are using. Users are individually accountable 
for their own behavior. 


(2) Users have a responsibility to employ available security 
mechanisms and procedures for protecting their own data. They 
also have a responsibility for assisting in the protection of 
the systems they use. 


(3) Computer and network service providers are responsible for 
maintaining the security of the systems they operate. They are 
further responsible for notifying users of their security 
policies and any changes to these policies. 


(4) Vendors and system developers are responsible for providing 
systems which are sound and which embody adequate security 
controls. 


(5) Users, service providers, and hardware and software vendors are 
responsible for cooperating to provide security. 


(6) Technical improvements in Internet security protocols should be 
sought on a continuing basis. At the same time, personnel 
developing new protocols, hardware or software for the Internet 
are expected to include security considerations as part of the 
design and development process. 


Pethia, Crocker, & Fraser [Page 2] 


RFC 1281 Guidelines for the Secure Operation November 1991 


Elaboration 


(1) Users are individually responsible for understanding and 
respecting the security policies of the systems (computers and 
networks) they are using. Users are individually accountable 
for their own behavior. 


Users are responsible for their own behavior. Weaknesses in 

the security of a system are not a license to penetrate or 

abuse a system. Users are expected to be aware of the security 
policies of computers and networks which they access and to 
adhere to these policies. One clear consequence of this 
guideline is that unauthorized access to a computer or use of a 
network is explicitly a violation of Internet rules of conduct, 
no matter how weak the protection of those computers or networks. 


There is growing international attention to legal prohibition 
against unauthorized access to computer systems, and several 
countries have recently passed legislation that addresses the 
area (e.g., United Kingdom, Australia). In the United States, 
the Computer Fraud and Abuse Act of 1986, Title 18 U.S.C. 
section 1030 makes it a crime, in certain situations, to access 
a Federal interest computer (federal government computers, 
financial institution computers, and a computer which is one of 
two or more computers used in committing the offense, not all of 
which are located in the same state) without authorization. 
Most of the 50 states in the U.S have similar laws. 


Another aspect of this part of the policy is that users are 
individually responsible for all use of resources assigned to 
them, and hence sharing of accounts and access to resources is 
strongly discouraged. However, since access to resources is 
assigned by individual sites and network operators, the 
specific rules governing sharing of accounts and protection of 
access is necessarily a local matter. 


(2) Users have a responsibility to employ available security 
mechanisms and procedures for protecting their own data. They 
also have a responsibility for assisting in the protection of 
the systems they use. 


Users are expected to handle account privileges ina 
responsible manner and to follow site procedures for the 
security of their data as well as that of the system. For 
systems which rely upon password protection, users should 
select good passwords and periodically change them. Proper 
use of file protection mechanisms (e.g., access control lists) 
so as to define and maintain appropriate file access control 


Pethia, Crocker, & Fraser [Page 3] 


RFC 1281 Guidelines for the Secure Operation November 1991 


is also part of this responsibility. 


(3) Computer and network service providers are responsible for 
maintaining the security of the systems they operate. They are 
further responsible for notifying users of their security 
policies and any changes to these policies. 


A computer or network service provider may manage resources on 
behalf of users within an organization (e.g., provision of 
network and computer services with a university) or it may 
provide services to a larger, external community (e.g., a 
regional network provider). These resources may include host 
computers employed by users, routers, terminal servers, personal 
computers or other devices that have access to the Internet. 


Because the Internet itself is neither centrally managed nor 
operated, responsibility for security rests with the owners and 
operators of the subscriber components of the Internet. 
Moreover, even if there were a central authority for this 
infrastructure, security necessarily is the responsibility of 
the owners and operators of the systems which are the primary 
data and processing resources of the Internet. 


There are tradeoffs between stringent security measures at a 
site and ease of use of systems (e.g., stringent security 
measures may complicate user access to the Internet). If a site 
elects to operate an unprotected, open system, it may be 
providing a platform for attacks on other Internet hosts while 
concealing the attacker’s identity. Sites which do operate 
open systems are nonetheless responsible for the behavior of 
the systems’ users and should be prepared to render assistance 
to other sites when needed. Whenever possible, sites should 
try to ensure authenticated Internet access. The readers are 
directed to appendix A for a brief descriptive list of elements 
of good security. 


Sites (including network service providers) are encouraged to 
develop security policies. These policies should be clearly 
communicated to users and subscribers. The Site Security 
Handbook (FYI 8, RFC 1244) provides useful information and 
guidance on developing good security policies and procedures 
at both the site and network level. 


(4) Vendors and system developers are responsible for providing 


systems which are sound and which embody adequate security 
controls. 


Pethia, Crocker, & Fraser [Page 4] 


RFC 1281 Guidelines for the Secure Operation November 1991 


A vendor or system developer should evaluate each system in 
terms of security controls prior to the introduction of the 
system into the Internet community. Each product (whether 
offered for sale or freely distributed) should describe the 
security features it incorporates. 


Vendors and system developers have an obligation to repair 
flaws in the security relevant portions of the systems they 
sell (or freely provide) for use in the Internet. They are 
expected to cooperate with the Internet community in 
establishing mechanisms for the reporting of security flaws and 
in making security-related fixes available to the community in 
a timely fashion. 


(5) Users, service providers, and hardware and software vendors are 
responsible for cooperating to provide security. 


The Internet is a cooperative venture. The culture and 
practice in the Internet is to render assistance in security 
matters to other sites and networks. Each site is expected to 
notify other sites if it detects a penetration in progress at 
the other sites, and all sites are expected to help one another 
respond to security violations. This assistance may include 
tracing connections, tracking violators and assisting law 
enforcement efforts. 


There is a growing appreciation within the Internet community 
that security violators should be identified and held 


accountable. This means that once a violation has been detected, 
sites are encouraged to cooperate in finding the violator and 
assisting in enforcement efforts. It is recognized that many 


sites will face a trade-off between securing their sites as 
rapidly as possible versus leaving their site open in the hopes 
of identifying the violator. Sites will also be faced with the 
dilemma of limiting the knowledge of a penetration versus 
exposing the fact that a penetration has occurred. This policy 
does not dictate that a site must expose either its system or 
its reputation if it decides not to, but sites are encouraged 
to render as much assistance as they can. 


(6) Technical improvements in Internet security protocols should be 
sought on a continuing basis. At the same time, personnel 
developing new protocols, hardware or software for the Internet 
are expected to include security considerations as part of the 
design and development process. 


The points discussed above are all administrative in nature, 
but technical advances are also important. Existing protocols 


Pethia, Crocker, & Fraser [Page 5] 


RFC 1281 


Guidelines for the Secure Operation November 1991 


and operating systems do not provide the level of security that 
is desired and feasible today. Three types of advances are 
encouraged: 


(a) Improvements should be made in the basic security 
mechanisms already in place. Password security is 
generally poor throughout the Internet and can be 
improved markedly through the use of tools to administer 
password assignment and through the use of better 
authentication technology. At the same time, the 
Internet user population is expanding to include a 
larger percentage of technically unsophisticated users. 
Security defaults on delivered systems and the controls 
for administering security must be geared to this growing 
population. 


(b) Security extensions to the protocol suite are needed. 
Candidate protocols which should be augmented to improve 
security include network management, routing, file 
transfer, telnet, and mail. 


(c) The design and implementation of operating systems should 
be improved to place more emphasis on security and pay 
more attention to the quality of the implementation of 
security within systems on the Internet. 


APPENDIX A 


Five 


(1) 


Pethia, 


areas should be addressed in improving local security: 


There must be a clear statement of the local security policy, 
and this policy must be communicated to the users and other 
relevant parties. The policy should be on file and available 
to users at all times, and should be communicated to users as 
part of providing access to the system. 


Adequate security controls must be implemented. At a minimum, 
this means controlling access to systems via passwords, 
instituting sound password management, and configuring the 
system to protect itself and the information within it. 


There must be a capability to monitor security compliance and 
respond to incidents involving violation of security. Logs of 
logins, attempted logins, and other security-relevant events 
are strongly advised, as well as regular audit of these logs. 
Also recommended is a capability to trace connections and other 
events in response to penetrations. However, it is important 
for service providers to have a well thought out and published 


Crocker, & Fraser [Page 6] 


RFC 1281 Guidelines for the Secure Operation November 1991 


policy about what information they gather, who has access to it 
and for what purposes. Maintaining the privacy of network 
users should be kept in mind when developing such a policy. 


(4) There must be an established chain of communication and control 
to handle security matters. A responsible person should be 
identified as the security contact. The means for reaching the 
security contact should be made known to all users and should 
be registered in public directories, and it should be easy for 
computer emergency response centers to find contact information 
at any time. 


The security contact should be familiar with the technology and 
configuration of all systems at the site or should be able to 
get in touch with those who have this knowledge at any time. 
Likewise, the security contact should be pre-authorized to make 
a best effort to deal with a security incident, or should be 
able to contact those with the authority at any time. 


(5) Sites and networks which are notified of security incidents 
should respond in a timely and effective manner. In the case 
of penetrations or other violations, sites and networks should 
allocate resources and capabilities to identify the nature of 
the incident and limit the damage. A site or network cannot be 
considered to have good security if it does not respond to 
incidents in a timely and effective fashion. 


If a violator can be identified, appropriate action should be 
taken to ensure that no further violations are caused. Exactly 
what sanctions should be brought against a violator depend on 
the nature of the incident and the site environment. For 
example, a university may choose to bring internal disciplinary 
action against a student violator. 


Similarly, sites and networks should respond when notified of 


security flaws in their systems. Sites and networks have the 
responsibility to install fixes in their systems as they become 
available. 


Pethia, Crocker, & Fraser [Page 7] 


RFC 1281 Guidelines for the Secure Operation November 1991 


A Bibliography of Computer and Network Security Related Documents 


United 


[1] 


[2] 


[3] 


[4] 


[5] 


[6] 


[7] 


[8] 


States Public Laws (PL) and Federal Policies 


P.L. 100-235, "The Computer Security Act of 1987", (Contained in 
Appendix C of Citation No. 12, Vol II.), Jan. 8, 1988. 


P.L. 99-474 (H.R. 4718), "Computer Fraud and Abuse Act of 1986", 
Oct. 16, 1986. 


P.L. 99-508 (H.R. 4952), "Electronic Communications Privacy Act 
of 1986", Oct. 21, 1986. 


P.L. 99-591, "Paperwork Reduction Reauthorization Act of 1986", 
Oct. 30, 1986. 


P.L. 93-579, "Privacy Act of 1984", Dec. 31, 1984. 


"National Security Decision Directive 145", (Contained in 
Appendix C of Citation No. 12, Vol II.). 


"Security of Federal Automated Information Systems", (Contained 
in Appendix C of Citation No. 12, Vol II.), Appendix III of, 
Management of Federal Information Resources, Office of Management 
and Budget (OMB), Circular A-130. 


"Protection of Government Contractor Telecommunications", 
(Contained in Appendix C of Citation No. 12, Vol II.), National 
Communications Security Instruction (NACSI) 6002. 


Other Documents 


[9] 


[10] 


[11] 


[12] 


Pethia, 


Secure Systems Study Committee, "Computers at Risk: Safe 
Computing in the Information Age", Computer Science and 
Technology Board, National Research Council, 2101 Constitution 
Avenue, Washington, DC 20418, December 1990. 


Curry, D., “Improving the Security of Your UNIX System", Report 
No. ITSTD-721-FR-90-21, SRI International, 333 Ravenswood Ave., 
Menlo Park, CA, 94025-3493, April 1990. 


Holbrook P., and J. Reynolds, Editors, "Site Security Handbook", 
FYI 8, RFC 1244, CICNet, ISI, July 1991. 


"Industry Information Protection, Vols. I,II,III", Industry 


Information Security Task Force, President’s National 
Telecommunications Advisory Committee, June 1988. 


Crocker, & Fraser [Page 8] 


RFC 1281 Guidelines for the Secure Operation November 1991 


[13] 


[14] 


[15] 


[16] 


[17] 


Jelen, G., "Information Security: An Elusive Goal", Report No. 
P-85-8, Harvard University, Center for Information Policy 
Research, 200 Akin, Cambridge, MA. 02138, June 1985. 


"Electronic Record Systems and Individual Privacy", OTA-CIT-296, 
Congress of the United States, Office of Technology Assessment, 
Washington, D.C. 20510, June 1986. 


"Defending Secrets, Sharing Data", OTA-CIT-310, Congress of the 
United States, Office of Technology Assessment, Washington, D.C. 
20510, October 1987. 


"Summary of General Legislation Relating to Privacy and Computer 
Security", Appendix 1 of, COMPUTERS and PRIVACY: How the 
Government Obtains, Verifies, Uses and Protects Personal Data, 
GAO/IMTEC-90-70BR, United States General Accounting Office, 
Washington, DC 20548, pp. 36-40, August 1990. 


Stout, E., "U.S. Geological Survey System Security Plan - FY 
1990", U.S. Geological Survey ISD, MS809, Reston, VA, 22092, May 
1990. 


Security Considerations 


If security considerations had not been so widely ignored in the 
Internet, this memo would not have been possible. 


Pethia, 


Crocker, & Fraser [Page 9] 


RFC 1281 Guidelines for the Secure Operation November 1991 


Authors’ Addresses 


Richard D. Pethia 

Software Engineering Institute 
Carnegie Mellon University 
Pittsburgh, Pennsylvania 15213-3890 


Phone: (412) 268-7739 
FAX: (412) 268-6989 
EMail: rdp@cert.sei.cmu.edu 


Stephen D. Crocker 

Trusted Information Systems, Inc. 
3060 Washington Road 

Glenwood, Maryland 21738 


Phone: (301) 854-6889 
FAX: (301) 854-5363 


EMail: crocker@tis.com 
Barbara Y. Fraser 

Software Engineering Institute 
Carnegie Mellon University 


Pittsburgh, Pennsylvania 15213-3890 


Phone: (412) 268-5010 
FAX: (412) 268-6989 


EMail: byf@cert.sei.cmu.edu 


Pethia, Crocker, & Fraser [Page 10] 


